• 设置Linux防火墙


    设置 Linux 服务器防火墙脚本,Web_iptables.sh

    1. 通过内网可访问服务器所有开放端口
    2. 给跳板机开放sshd端口连接服务器
    3. 信任ip 所有端口均开放
    4. 开放部分端口供外部访问
    #!/bin/bash
    
    #Intranet_network=`ifconfig eth1 |grep "inet addr"|awk -F: '{print $2}'|awk '{print $1}'|awk -F "." '{print $1}'`
    #取得本机内网IP
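    #######################################
    # Print every IPv4 address of this host that lies in an RFC 1918 private
    # range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), one per line.
    # Both net-tools output styles are recognised:
    #   "inet addr:10.0.0.1  Bcast:..."   (older ifconfig)
    #   "inet 10.0.0.1  netmask ..."      (newer ifconfig)
    # "inet6" lines never match because whitespace is required after "inet".
    # Globals:   none
    # Arguments: none
    # Outputs:   matching addresses to stdout, in interface order; nothing if none
    # Returns:   0
    #######################################
    function getLocalInnerIP()
    {
        local line ip a b c d int_ip
        ifconfig | while IFS= read -r line; do
            # pull the dotted quad out of either output style
            [[ "$line" =~ inet[[:space:]]+(addr:)?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ]] || continue
            ip=${BASH_REMATCH[2]}
            IFS=. read -r a b c d <<<"$ip"
            # every octet must fit in a byte for the packed value below to be meaningful
            (( a <= 255 && b <= 255 && c <= 255 && d <= 255 )) || continue
            int_ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
            #10.0.0.0(167772160)~10.255.255.255(184549375)
            if (( int_ip >= 167772160 && int_ip <= 184549375 )); then
                printf '%s\n' "$ip"
            #172.16.0.0(2886729728)~172.31.255.255(2887778303)
            elif (( int_ip >= 2886729728 && int_ip <= 2887778303 )); then
                printf '%s\n' "$ip"
            #192.168.0.0(3232235520)~192.168.255.255(3232301055)
            elif (( int_ip >= 3232235520 && int_ip <= 3232301055 )); then
                printf '%s\n' "$ip"
            fi
        done
        return 0
    }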
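    # All RFC 1918 addresses of this host, one per line; the first one decides
    # which LAN block is trusted below.
    innerIP=$(getLocalInnerIP)
    first_inner_ip=
    IFS= read -r first_inner_ip <<<"$innerIP"
    if [ -z "$first_inner_ip" ]; then
        # The old code silently produced ".0.0.0/255.0.0.0" here and went on to
        # set a DROP policy; refuse instead so the host is never locked down
        # without its LAN rule.
        echo "no private (RFC 1918) address found on this host; not touching the firewall" >&2
        exit 1
    fi
    # Leading octet of that address.
    Intranet_network=${first_inner_ip%%.*}

    IPT=/sbin/iptables
    [ -x "$IPT" ] || { echo "$IPT not found or not executable" >&2; exit 1; }

    #######################################
    # Run one iptables command and abort the script if it fails.  Because the
    # INPUT policy is opened before the rebuild and only set to DROP at the very
    # end, an abort leaves the host reachable rather than half-firewalled.
    # Arguments: iptables arguments
    #######################################
    run_ipt() {
        "$IPT" "$@" || { echo "iptables failed: $IPT $*" >&2; exit 1; }
    }

    #tiaobanji: jump hosts allowed to reach sshd on port 16333 (empty = none)
    #TIAOBANJI="218.17.152.189 113.107.167.90 58.253.68.90"
    TIAOBANJI=""

    #trust ip
    ETL1=219.129.216.224
    # Trust only the RFC 1918 block the host actually lives in.  The previous
    # "<first octet>.0.0.0/255.0.0.0" form turned a 172.16.x or 192.168.x host
    # into a rule trusting all of 172/8 or 192/8, most of which is public space.
    case "$first_inner_ip" in
        10.*)      LAN_IP=10.0.0.0/255.0.0.0 ;;
        172.*)     LAN_IP=172.16.0.0/255.240.0.0 ;;
        192.168.*) LAN_IP=192.168.0.0/255.255.0.0 ;;
        *) echo "unexpected non-private address: $first_inner_ip" >&2; exit 1 ;;
    esac

    #guangzhou idc ip
    yw1=43.230.88.130

    #NAGIOS_IP=121.10.141.196
    # Whitespace-separated list; every entry gets access to all ports.
    TRUST_IP="$LAN_IP $ETL1 $yw1 121.10.141.196"

    # Open the INPUT policy before flushing so that neither the flush nor an
    # abort below can cut us off; DROP is re-applied once all rules are in.
    run_ipt -P INPUT ACCEPT

    # Delete Any Existing Chains In Filter Table
    run_ipt -F -t filter
    run_ipt -X -t filter
    run_ipt -Z -t filter

    ### Allow TRUST IP (LAN_IP ETL1 yw1 ... -> ACCEPT)
    # shellcheck disable=SC2086 -- TRUST_IP is a deliberate space-separated list
    for TURST in $TRUST_IP; do
        run_ipt -A INPUT -s "$TURST" -j ACCEPT
    done

    #tiaobanji
    # shellcheck disable=SC2086 -- TIAOBANJI is a deliberate space-separated list
    for TBJ in $TIAOBANJI; do
        run_ipt -A INPUT -s "$TBJ" -p tcp --dport 16333 -j ACCEPT
    done

    # localhost
    run_ipt -A INPUT -p icmp -j ACCEPT
    run_ipt -A INPUT -i lo -j ACCEPT
    run_ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ### The ALL network for open ports
    # NOTE(review): these ports are reachable from any source address; confirm
    # the 9xxx service ports are really meant to be public rather than LAN-only.
    run_ipt -A INPUT -p tcp -m multiport --dports 80,443,8080 -j ACCEPT
    run_ipt -A INPUT -p tcp -m multiport --dports 9202,9200,9300,9400,9500 -j ACCEPT
    run_ipt -A INPUT -p tcp -m multiport --dports 9001,9002,9003,9004,9005 -j ACCEPT

    ### The zabbix server
    run_ipt -A INPUT -s 113.107.166.246 -p tcp --dport 10050 -j ACCEPT

    # Setting Default Policies, just accept output, drop any other
    run_ipt -P INPUT DROP
    run_ipt -P OUTPUT ACCEPT
    run_ipt -P FORWARD DROP

    ### save iptables
    if [ -x /etc/init.d/iptables ]; then
        /etc/init.d/iptables save
    else
        echo "warning: /etc/init.d/iptables not found; rules are active but were not saved" >&2
    fi

    exit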
    Web_iptables.sh
    #!/bin/bash
    IPT=/sbin/iptables

    # Start from an empty filter table with an accepting INPUT policy; the
    # final rule appended below is the catch-all DROP, so anything not matched
    # by an earlier ACCEPT is discarded.
    "$IPT" -F
    "$IPT" -P INPUT ACCEPT

    # INPUT rules, applied in this order (iptables is first-match).
    # NOTE(review): the 36000 and 10050:10051 rules carry no source restriction,
    # so those ports are open to every address — confirm that is intended.
    input_rules=(
        '-i lo -j ACCEPT'
        '-m state --state RELATED,ESTABLISHED -j ACCEPT'
        '-p icmp -j ACCEPT'
        '-s 120.25.153.31 -j ACCEPT'
        '-p tcp --dport 36000 -j ACCEPT'
        '-p tcp --dport 10050:10051 -j ACCEPT'
        '-s 120.25.153.31 -p tcp --dport 80 -j ACCEPT'
        '-s 183.14.0.0/16 -p tcp --dport 80 -j ACCEPT'
        '-s 183.14.1.0/24 -p tcp --dport 80 -j ACCEPT'
        '-s 120.25.153.32 -j DROP'
        '-j DROP'
    )
    for rule_line in "${input_rules[@]}"; do
        # split on whitespace into argv without glob expansion
        read -r -a rule_argv <<<"$rule_line"
        "$IPT" -A INPUT "${rule_argv[@]}"
    done
    iptables.sh
  • 原文地址:https://www.cnblogs.com/Mrhuangrui/p/6418987.html